Group items matching

in title, tags, annotations or url

Payment processor Heartland Payment Systems has been sued over a data breach it disclosed publicly on Inauguration Day last week. The lawsuit, filed on Tuesday in U.S. District Court in Trenton, N.J., alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers about the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud. In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion only in the previous week and immediately notified law enforcement and credit card companies. Heartland was alerted in late October to suspicious activity surrounding processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, said Robert H.B. Baldwin Jr., chief financial officer of Heartland, last week. The lawsuit seeks damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach, which is believed to be the largest in U.S. history. Heartland executives have declined to specify how many consumers or accounts were affected. The company handles 100 million transactions per month for more than 250,000 merchants. The lawsuit, first reported by SearchSecurity news site, also accuses Heartland of negligence in taking more than two months to determine the existence and scope of the breach and criticizes the company for failing to identify which merchants were affected by the breach. The suit was filed on behalf of Woodbury, Minn., resident Alicia Cooper, who was notified last week by her credit union that a card associated with her account was included in the breach. It seeks class action status. A Heartland spokesman said the company could no

It was only a matter of time! Auditor accuracy being examined in lawsuit may signal change in PCI and other compliance processes.

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor's report. In theory, CardSystems should have been safe. The industry's primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems' auditor, Savvis Inc, had just given them a clean bill of health three months before. Yet, despite those assurances, 263,000 card numbers were stolen from CardSystems, and nearly 40 million were compromised. More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices. They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies. "We're at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it," says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania's Wharton School who specializes in information security issues. "For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits." The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards. Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secur

Hundreds of credit union members are starting their holiday weekend off without their debit cards after a credit compromise forced the Winthrop Federal Credit Union to deactivate customers' cards. The credit union stayed open Friday until 6 p.m. to give cash to affected customers for the weekend. CARDS FROZEN AS A PRECAUTION Credit union officials say its card processer, Metavante, noticed suspicious activity on three of its MasterCard debit cards and notified the credit union about them. While it was not a security breach, the Winthrop Federal Credit Union decided to freeze a block of cards as a precaution, something that Metavante did not advise them to do. "We really know very little. We are working with the credit processor to identify the possible cards," said bank spokeswoman Cathleen Clark. "We always feel it's better to be safe than sorry." Because of the suspected credit compromise, the credit unions says it felt it was necessary to freeze the cards.

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems. The company said it took a $2.5 million loss for the quarter as a result of spending more than $12.6 million in legal bills, fines from MasterCard and Visa and administrative costs. The announcement was made during the company's financial earnings call, where Carr said the costs associated with the breach could continue to climb. "Our defense of the claims regarding the processing system intrusion remains ongoing," he said. "Much of the legal work remains to be done and it is difficult to anticipate when these matters will come to a conclusion." Carr also admitted for the first time that since the Princeton, N.J.-based processing giant announced a breach of its systems, some of the payment processor's clients have switched to competitors as a result of the breach. He said some competing processors resorted to scare tactics. "We have had many competitors that have been very supportive and professional, and we certainly don't want to tar all of our competitors with the same brush," Carr said. "We have had some competitors telling merchants falsely that they would be fined $10,000 a day if they stay with Heartland. We think we're through the worst of that." Car said less than $1 million of the breach costs were fines levied by MasterCard and Visa against the company's sponsored banks. The fines are being contested, he said. More than $500,000 relates to a fine assessed by MasterCard against the sponsored banks in which the card company said Heartland failed to take appropriate action upon learning that a breach was suspected. Carr said the fine is in direct violation of both the MasterCard rules and law.

The U.S. Department of Justice's indictment of Albert Gonzalez on Monday seems to have all the elements of a Hollywood crime drama: A hacker gains access to millions of credit and debit card numbers and has the power to take down a nation. Too bad for Tinseltown, the attack itself was about as sexy and a pile of routers. According to the indictment, Gonzalez, 28, gained a foothold into the systems of credit card processors such as Heartland Payment Systems ( HPY - news - people ) and retailers like OfficeMax ( OMX - news - people ), Barnes & Noble ( BKS - news - people ) and TJX Cos. ( TJX - news - people ) using an amateur hacking technique called "wardriving," which uses wireless access points to find vulnerable networks from which to launch attacks. Once connected to those private networks, Gonzalez used a well-known technique called "SQL injection" to trick Web applications into forking over private information that gave him deeper access into networks. Even though it sounds complicated, techies liken this kind of hack to simply turning the front doorknob to get into a house.